The credentials can be for example One Time Authentication Codes (OTACs) such as Transaction Numbers (TANs). Furthermore, credentials can be for example Personal Identification Numbers (PINs), passwords, activation codes or strong key material.
One time authentication codes with paper based scratch lists of transaction authentication numbers are popular in the field of online transactions. Paper based scratch lists are both relatively insecure and inconvenient to access. Typically, a scratch list is sent from a service provider such as a bank to a customer via plain mail. A mailed scratch list can be intercepted en route to the customer and copied. In addition, many customers cannot be relied upon to store scratch lists in a secure location such as a safe. This is especially the case where the scratch list is used regularly. A regularly used scratch list may be left in the open, on a desk for example. This provides others with access to the scratch list. If a scratch list is carried by a customer, it may be lost or stolen. OTACs on scratch lists are not usually encrypted. Customer account numbers, which are generally combined with an OTAC to effect a transaction, are widely regarded as being publicly known. It is inconvenient for many customers to manually keep track of which OTACs have been used. When moving from one scratch list to another, customers need to temporarily store or carry two scratch lists. This enhances security risk. Furthermore, paper based scratch lists are complicated for the issuing service providers to print and mail in a timely manner.
WO98/37524 describes a transaction method using a mobile device. This method employs International Debit User Identification (IDUI) numbers to identify individual accounts. The IDUI is analogous to a customer bank account number. Specifically, the IDUI is pre-loaded onto a credit/debit card. During operation, a point of sale (POS) terminal reads the IDUI from a credit/debit card and displays an amount to be deducted from an identified account. The customer completes the transaction by pressing an OK button of the POS terminal. The POS terminal sends a transaction receipt to a server in the bank responsible for the account. WO98/37524 proposes pre-storing the IDUI on a Subscriber Identification Module (SIM) smart card as used in GSM mobile phone networks instead of on a magnetic strip or memory card. The IDUI is then read from the smart card by the terminal in a contact-less manner. Transaction receipts are sent to the server for verification by SMS messages. This scheme discusses only the uses of IDUIs for transactions with POS terminals via a contact-less interface and exchanging SMS messages for transaction verification. The scheme is not suitable for OTAC delivery. This is because IDUIs are fixed for each account. OTACs, however, are not. Similar electronic payment systems are described in EP1 176 844, WO99/16029, WO00/49585, WO01/09851, WO02/21464, and WO01/93528.
EP 1559256 B1 describes a method of providing a user device with a set of access codes. According to this method a strong symmetrical key such as a 16 byte Data Encryption Standard (DES) key is used for the encryption of the access codes.